
[CVE-2020-36518] move jackson-databind to 2.13.2 #2544

Closed
wants to merge 2 commits into from

Conversation

peternied
Member

Description

Security took a fix for opensearch-project/security#1687 and is now seeing a jar hell conflict. This will fix that conflict and fix the CVE in this version of OpenSearch.

Caused by: java.lang.IllegalStateException: jar hell!
class: com.fasterxml.jackson.dataformat.cbor.CBORConstants
jar1: /opensearch/plugins/.installing-15168128924324135285/jackson-dataformat-cbor-2.13.2.jar
jar2: /opensearch/lib/jackson-dataformat-cbor-2.12.6.jar
	at org.opensearch.bootstrap.JarHell.checkClass(JarHell.java:317)
	at org.opensearch.bootstrap.JarHell.checkJarHell(JarHell.java:212)
	at org.opensearch.plugins.PluginsService.checkBundleJarHell(PluginsService.java:676)
	... 11 more

Check List

  • New functionality includes testing.
    • All tests pass
  • New functionality has been documented.
    • New functionality has javadoc added
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Signed-off-by: Peter Nied <petern@amazon.com>
…reate them

Signed-off-by: Peter Nied <petern@amazon.com>
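The trace above is a duplicate-class check failing: the same class ships in the plugin's jackson-dataformat-cbor 2.13.2 jar and in the server's lib/ 2.12.6 jar. The following is an added, illustrative reimplementation of that kind of check (not OpenSearch's JarHell code); it builds constructed sample jars mirroring the two paths in the trace and reports every class owned by more than one jar.

```python
"""Minimal jar-hell check: flag any .class entry present in two or more jars.
Illustrative only; OpenSearch's real JarHell.checkJarHell has more rules."""
import os
import tempfile
import zipfile
from collections import defaultdict

# Constructed sample: the class named in the trace, carried by two jackson
# versions (plugin bundles 2.13.2 while lib/ still has 2.12.6).
CLASS_IN_CONFLICT = "com/fasterxml/jackson/dataformat/cbor/CBORConstants.class"

def build_sample_jars(root):
    """Write tiny constructed jars under `root`; two share CLASS_IN_CONFLICT."""
    layout = {
        os.path.join(root, "plugins", "jackson-dataformat-cbor-2.13.2.jar"):
            [CLASS_IN_CONFLICT, "com/fasterxml/jackson/dataformat/cbor/CBORParser.class"],
        os.path.join(root, "lib", "jackson-dataformat-cbor-2.12.6.jar"):
            [CLASS_IN_CONFLICT],
        os.path.join(root, "lib", "jackson-core-2.12.6.jar"):
            ["com/fasterxml/jackson/core/JsonParser.class"],
    }
    for path, entries in layout.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            for entry in entries:
                jar.writestr(entry, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return list(layout)

def check_jar_hell(jar_paths):
    """Return {class_entry: [jars]} for every class found in more than one jar.
    META-INF entries are skipped because they legitimately repeat across jars."""
    owners = defaultdict(list)
    for jar_path in jar_paths:
        with zipfile.ZipFile(jar_path) as jar:
            for name in jar.namelist():
                if name.endswith(".class") and not name.startswith("META-INF/"):
                    owners[name].append(jar_path)
    return {cls: jars for cls, jars in owners.items() if len(jars) > 1}

def demo():
    """Build the sample jars, run the check, return conflicts by jar basename."""
    with tempfile.TemporaryDirectory() as root:
        conflicts = check_jar_hell(build_sample_jars(root))
        return {cls: [os.path.basename(j) for j in jars] for cls, jars in conflicts.items()}

if __name__ == "__main__":
    for cls, jars in demo().items():
        print(f"jar hell! class: {cls}\n  jars: {', '.join(jars)}")
```

Pointing `check_jar_hell` at the real `lib/` and `plugins/*/` jars of a distribution is a quick pre-install check that a dependency bump in one place (here jackson-databind 2.13.2) has been mirrored everywhere the same artifact is shipped.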
@saratvemulapalli saratvemulapalli added dependencies Pull requests that update a dependency file >upgrade Label used when upgrading library dependencies (e.g., Lucene) v2.0.0 Version 2.0.0 labels Mar 21, 2022
@peternied
Member Author

@saratvemulapalli I am attempting to merge this PR onto 1.x and you've labeled it as v2.0.0; should this PR be recreated against main?

@opensearch-ci-bot
Collaborator

❌   Gradle Check failure 82e09c6
Log 3628

Reports 3628

@opensearch-ci-bot
Collaborator

❌   Gradle Check failure 2357857
Log 3629

Reports 3629

@peternied
Member Author

I believe the gradle check failure is resolved with #2543

* What went wrong:
Execution failed for task ':distribution:bwc:minor:buildBwcLinuxTar'.
> Building 1.3.0 didn't generate expected file /var/CITOOL/workflow/OpenSearch_CI/PR_Checks/Gradle_Check/search/distribution/bwc/minor/build/bwc/checkout-1.3/distribution/archives/linux-tar/build/distributions/opensearch-min-1.3.0-SNAPSHOT-linux-x64.tar.gz

Collaborator

@nknize nknize left a comment


@peternied Yes. Please update the version on main first and then backport through applying the backport labels. This way we have a seamless upgrade across branches.

@saratvemulapalli
Member

@peternied Yes. Please update the version on main first and then backport through applying the backport labels. This way we have a seamless upgrade across branches.

Thanks for this @nknize. I missed that the change is merging to 1.x :).

@peternied
Member Author

Closing in favor of #2548

@peternied peternied closed this Mar 21, 2022
@peternied peternied deleted the 1.x branch March 21, 2022 21:54